sabin ran | 26 Feb 12:47 2015

modsecurity not detecting php reverse shell

hi,
I implemented ModSecurity and ClamAV on a server and used these rules:
modsecurity_crs_46_av_scanning.conf
modsecurity_crs_45_trojans.conf

I found out that during upload of the php-reverse-shell.php file, ClamAV won't detect it as malware and ModSecurity won't block it. Similarly, modsecurity_crs_45_trojans.conf won't detect it.

Is there any way I can detect reverse-shell files and similar malware?

Many thanks.
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
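An added example of the content inspection that catches a generic PHP reverse shell where the trojan and AV rules above do not; this is not code from the original post, from the OWASP CRS or from ClamAV. Both ClamAV and the CRS 45 trojans file are signature-based, so a freshly edited php-reverse-shell.php passes them; the rules below instead look at what any PHP reverse shell has to contain (PHP code, an outbound socket, a spawned shell). Assumed: ModSecurity 2.9.x, where the FILES_TMP_CONTENT variable exposes the content of uploaded files (documented as requiring SecUploadKeepFiles On or RelevantOnly); the rule ids 90010-90012, the upload directory and the indicator word lists are this example's own choices.

```apache
# Added example; not code from the original post, the CRS or ClamAV.
# Assumes ModSecurity 2.9.x (FILES_TMP_CONTENT) and that uploaded files are
# kept on disk long enough to be inspected. Rule ids 90010-90012, the upload
# directory and the indicator lists are arbitrary choices for this example.

SecRequestBodyAccess On
SecUploadDir /var/tmp/modsec-uploads
SecUploadKeepFiles RelevantOnly

# 1. Any uploaded file that contains a PHP open tag is rejected, whatever its
#    declared file name or Content-Type. If one form field legitimately
#    carries PHP source, exclude it: FILES_TMP_CONTENT|!FILES_TMP_CONTENT:patch
SecRule FILES_TMP_CONTENT "@rx (?i)<\?(php|=)" \
    "id:90010,phase:2,t:none,log,deny,status:403,\
    msg:'PHP open tag in uploaded file',logdata:'%{matched_var_name}'"

# 2. Reverse-shell primitives: an outbound socket AND a process spawn in the
#    same upload. Both links of the chain must match before the deny fires,
#    which keeps an ordinary text upload from tripping on a single word.
SecRule FILES_TMP_CONTENT "@pm fsockopen pfsockopen stream_socket_client socket_create" \
    "id:90011,phase:2,t:none,log,deny,status:403,chain,\
    msg:'Reverse-shell indicators in uploaded file',logdata:'%{matched_var_name}'"
    SecRule FILES_TMP_CONTENT "@pm proc_open popen shell_exec passthru pcntl_exec /bin/sh"

# 3. Defence in depth on the file name: PHP-executable extensions are not
#    accepted from upload forms at all, regardless of content.
SecRule FILES "@rx (?i)\.ph(p[3-7]?|t|tml|ar)$" \
    "id:90012,phase:2,t:none,log,deny,status:403,\
    msg:'Upload with PHP-executable extension',logdata:'%{matched_var}'"
```

Rule 90010 is the one that actually stops php-reverse-shell.php: it is plain PHP and has to start with `<?php`. Rule 90011 is there for the case where PHP uploads are allowed at all. An obfuscated shell (`eval(base64_decode(...))`) defeats both word lists, so keep the existing `@inspectFile`/ClamAV rule in place as well, and store uploads in a directory from which the PHP handler cannot execute; the WAF rule is the second line, not the first.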
Fernando Sandiego | 20 Feb 17:11 2015

Disable mod security only for Magento admin path - mod_rewrite issue?

Hi all,

I want to disable modsecurity only for the administration interface of Magento (e-commerce software) but
somehow it seems to be a little bit more complicated than expected... I use CRS rules and the commercial
rules from Trustwave and both have a lot of problems when I use the administration interface. 

Due to mod_rewrite the admin interface has the path: https://www.domain.com/index.php/fancysecretpath/
mod_rewrite redirects all requests to index.php via .htaccess which is mandatory for my website setup.
Rule in .htaccess:
RewriteRule .* index.php [L]

I created a whitelist file, loaded it after all the other rules (CRS and commercial Trustwave rules). I
tried the following to disable modsecurity only for the Magento admin interface path:

<LocationMatch "/index.php/fancysecretpath/">
    SecRuleEngine Off
</LocationMatch>

Unfortunately this doesn't work. I still get a lot of errors. The errors I get from the audit_log also
indicate that I selected the correct path, although I think this might be an issue due to mod_rewrite...:

--281fbf04-A--
[20/Feb/2015:16:18:39 +0100] VOdQT5BMKS4AADRVCD8AAAAB 131.22.37.95 55592 243.76.42.44 443
--281fbf04-B--
GET /index.php/fancysecretpath/cms_page/edit/page_id/10/key/0780e0d17832b696019394d4256d1b/ HTTP/1.1
Host: www.domain.com
Connection: keep-alive
Authorization: Basic a2Vyc3Rpjpob2ZiVlciQk
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/40.0.2214.111 Safari/537.36
Referer: https://www.domain.com/index.php/fancysecretpath/cms_page/index/key/9ba4072355fed21be08fc6a651ecb3/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: __atuvc=0%7C31%2C0%77C33%2C04%2C4%7C35; poll1=1; frontend=0f1uu19ib1pr3j0rofecg7; adminhtml=nolcj0cetdmac8nxnteo4

--c943976e-F--
HTTP/1.1 302 Found
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Location: https://www.domain.com/index.php/fancyadminpath/cms_page/index/key/9baed71235fed21be0fc6a611ecb3/
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Set-Cookie: adminhtml=nolcjdmnac8n14nteo4; expires=Fri, 03-Apr-2015 07:50:01 GMT; path=/;
domain=www.domain.com; secure; httponly
Content-Length: 20
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

--281fbf04-E--
--- Websitecontent code - deleted --

--281fbf04-H--
-- a loooot of false positives from the CRS and Trustwave ruleset... --
...
Apache-Handler: application/x-httpd-php
Stopwatch: 1424447401567591 755067 (- - -)
Stopwatch2: 1424447401567591 755067; combined=156288, p1=46841, p2=108794, p3=24, p4=285, p5=240,
sr=95, sw=104, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--c943976e-Z--

Can you help me to find the right rule?

I use Apache/2.2.22 with modsecurity version 2.9.0.

Many thanks and best regards
Fernando


Daniel Pradeep | 20 Feb 09:34 2015

Fwd: Is it possible to use dynamic variables in ModSec?

Hello Everyone!!!

I have an unique problem with ModSecurity when attempting to write custom DoS protection rules for a website. 

Please find the details of the issue and kindly let me know your suggestions/thoughts on that.

Brief

I have been trying to write rules to protect a website from DoS attacks, and the website has only one page, /index.php. However, each user is identified by a unique token like this: /index.php?a=abcdef. This page sends a lot of AJAX calls that get and post information periodically, as long as the user is active on the page.

Problem

During a DoS attack, I need to block only the specific user using the token ?a=abcdef, which is dynamic. The actual length of the token is around 45 characters, consisting of [a-zA-Z0-9]. The website is visited by either a single user or a user group (more than 10 users) from an IP address. The problem is, during a DoS attack, when blocking the user, I need to take the token into consideration. However, as far as I understand, unless I use a dynamic variable like tx.dos_counter_%{ARGS_GET}=+1, I may not be able to identify a user uniquely. But when I reference the variable like this, %{tx.dos_counter_%{ARGS_GET}}, to retrieve the value of the dynamic variable, it returns null.

Questions
  1. Is it possible to use dynamic variables, as mentioned above, in ModSecurity?
  2. Is there any other way to handle this problem?
Miscellaneous

This website runs on LAMP stack (Ubuntu) with ModSecurity.

Please help me solve this issue.

Appreciated. Many thanks in advance.

Regards,

Daniel Pradeep
Francisco Martinez | 19 Feb 16:04 2015

recommended production setups with modsecurity and nginx

Hello!

Sorry if this has been asked and re-asked, but I have been unable to find such a topic in the archive :(

Currently we are running nginx 1.6.2 and using modsecurity 2.8.0 (not the nginx_refactor branch). After running this on a Centos 6.4 with very few modifications, we hit a very strange bug where nginx was running fine and then started consuming memory like there was no tomorrow, until linux killed the process due to using too much memory. Seems from some googling that this is a relatively common problem (we are not the first ones hitting it).

We are actually planning to upgrade to nginx mainline 1.7.9 in the following weeks. Is there any recommended setup for mod_security // nginx (be it stable or mainline versions?). Looks to me that the main modsecurity is not really that stable; is the "nginx_refactor" branch more stable? There's no stable branch at all? :D

The usage of modsecurity we are using for now is rather trivial, just some counting of accesses to urls for brute force attack detection.

Thanks!
/fran

Response_status - target value "0"

Hi all,

I have some rules to ban an IP after 3 login attempts, but it doesn't work. Modsecurity doesn't get the Response Status. I am doing logins with wrong user and password to get an 401 error from the server.

RULE:
SecRule RESPONSE_STATUS "^401" "phase:5,id:554,chain,t:none,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"

DEBUG LOG:
[/owa/][5] Rule c3ae3ad7f0: SecRule "RESPONSE_STATUS" "@rx ^401" "phase:3,log,id:554,chain,t:none,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
[/owa/][4] Transformation completed in 0 usec.
[/owa/][4] Executing operator "rx" with param "^401" against RESPONSE_STATUS.
[/owa/][9] Target value: "0"
[/owa/][4] Operator completed in 0 usec.
[/owa/][4] Rule returned 0.
[/owa/][9] No match, chained -> mode NEXT_CHAIN.


In Burp Suite I see a 401 status on the responses, so why is the target value "0" in ModSecurity? Does anybody know something about that?

Thanks,
Gabriel

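An added example covering both counter questions on this page, the per-token DoS counter (Daniel Pradeep's post) and the 401-driven brute-force counter (Gabriel's post); it is not code from either post. The two share one idea: instead of building a variable whose name contains the token or address, key a persistent collection on it and keep a plain counter inside. Assumed: SecDataDir is writable by the httpd user; the per-user token arrives as ?a=<token> of 40-50 alphanumerics as described; /owa/ is the login path; the thresholds (120 requests per 60 s, 3 failures in 180 s, a 600 s block) are illustrative; rule ids 90030-90035 are arbitrary.

```apache
# Added example; not code from either post. Assumes SecDataDir is writable by
# the httpd user, that the per-user token arrives as ?a=<token> of 40-50
# alphanumerics (as described in the DoS post), that /owa/ is the login path
# (from the RESPONSE_STATUS post) and that the thresholds fit the site.
# Rule ids 90030-90035 are arbitrary.

SecDataDir /var/lib/modsecurity

# --- 1. Request counter keyed on the per-user token --------------------------
# Rather than a variable whose *name* carries the token
# (tx.dos_counter_<token>), key a persistent collection on the token:
# setuid initialises the USER collection for the given id, and the counter
# then lives in user.req_count, one per token, surviving across requests.
SecRule ARGS:a "@rx ^[A-Za-z0-9]{40,50}$" \
    "id:90030,phase:1,t:none,nolog,pass,\
    setuid:%{ARGS.a},\
    setvar:user.req_count=+1,\
    expirevar:user.req_count=60"

# More than 120 requests from one token inside a 60 s window (sliding, because
# every hit re-arms expirevar) are refused with 429 until the window lapses.
SecRule USER:req_count "@gt 120" \
    "id:90031,phase:1,t:none,log,deny,status:429,\
    msg:'Per-token request limit exceeded',\
    logdata:'token=%{ARGS.a} count=%{USER.req_count}'"

# --- 2. Failed-login counter keyed on the client IP ---------------------------
# RESPONSE_STATUS only exists once a response does, so the counting rule
# belongs in a response phase; phase 5 (logging) sees the final status.
# The block must run in phase 1 so the next attempt never reaches the app
# (a deny in phase 5 is too late, the response has already gone out).
SecAction "id:90032,phase:1,t:none,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

SecRule IP:bf_blocked "@eq 1" \
    "id:90033,phase:1,t:none,log,deny,status:403,\
    msg:'Client blocked after repeated failed logins'"

# setvar sits on the LAST link of the chain (the CRS convention), so the
# counter only moves when both the status and the path matched.
SecRule RESPONSE_STATUS "@eq 401" \
    "id:90034,phase:5,t:none,nolog,pass,chain"
    SecRule REQUEST_URI "@beginsWith /owa/" \
        "t:none,setvar:ip.bf_counter=+1,expirevar:ip.bf_counter=180"

SecRule IP:bf_counter "@ge 3" \
    "id:90035,phase:5,t:none,log,pass,\
    setvar:ip.bf_blocked=1,expirevar:ip.bf_blocked=600,\
    msg:'Three failed logins from %{REMOTE_ADDR} within 180 s'"
```

Two caveats a practitioner would want. Keying only on the token means an attacker who can mint tokens simply rotates them, so part 1 belongs next to an address-based limit (the CRS 10 DoS rules, or part 2's `ip` collection with a request counter) rather than in place of it. And a counter driven by RESPONSE_STATUS is only as good as the status the application returns: check with a debug log at level 9 that the value read in phase 5 is the status the client sees, which is also the quickest way to tell whether the "0" in the post is a phase problem or something the server does before ModSecurity sees the response.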
abe abe | 15 Feb 18:55 2015

SecRuleRemoveById for a Proxyied location on apache

Hi all,
I have an Apache 2.2.29-1.4 with mod_security 2.8.0-5.25 which is a reverse proxy with mod_proxy_http for a local Java application.

I have false positives on some URLs and would like to whitelist some OWASP rule ids just on the given URIs.

While globally whitelisting a rule inside my virtualhost with

SecRuleRemoveById 960010

works, both

<LocationMatch ^/(myapp/mymethod.do.*)$>
    SecRuleRemoveById 960010
    ProxyPassMatch http://localhost:8080/$1
</LocationMatch>

and

<Location "/myapp/mymethod.do">
    SecRuleRemoveById 960010
</Location>
ProxyPass /myapp/mymethod.do http://localhost:8080/myapp/mymethod.do
ProxyPassReverse /myapp/mymethod.do http://localhost:8080/myapp/mymethod.do

or even

SecRuleUpdateTargetById 960010 "!REQUEST_URI:/myapp/mymethod.do"

do not work.

Since SecRuleRemoveById works in the general virtualhost context , I am quite sure that
it's not a config files inclusion order problem...

Anyone can spare some suggestion?

Thanks
a.

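An added example that serves both per-path questions on this page, switching ModSecurity off for the Magento admin path (Fernando's post) and dropping one CRS rule for one proxied endpoint (abe's post); it is not code from either post, the CRS or Trustwave. The reason a `SecRuleRemoveById` inside `<Location>`/`<LocationMatch>` has no effect on these rules is that phase-1 rules defined in the main configuration are evaluated in Apache's post-read-request hook, before the per-location configuration has been merged for the request; CRS 2.2.9 rule 960010, like 960032 in the same http_policy file, is such a phase-1 rule. A phase-1 rule keyed on REQUEST_URI that uses `ctl:` does not have that problem. Assumed: the lines are included at server or VirtualHost level before the CRS/Trustwave rule files; the two paths are the ones given in the posts; rule ids 90020 and 90021 and the include paths are arbitrary.

```apache
# Added example; not code from either post, the CRS or Trustwave. Assumes these
# lines are included at server (or VirtualHost) level BEFORE the CRS/Trustwave
# rule files, so they run ahead of the rules they neutralise. The two paths come
# from the posts; rule ids 90020/90021 and the include paths are arbitrary.

# (a) Magento admin interface: no inspection at all under that path.
#     REQUEST_URI is taken from the request line the client sent
#     (/index.php/fancysecretpath/..., exactly what the audit log shows); the
#     .htaccess RewriteRule to index.php runs later and does not alter it.
SecRule REQUEST_URI "@beginsWith /index.php/fancysecretpath/" \
    "id:90020,phase:1,t:none,nolog,pass,ctl:ruleEngine=Off"

# (b) Proxied Java endpoint: keep the engine on, drop only rule 960010.
SecRule REQUEST_URI "@beginsWith /myapp/mymethod.do" \
    "id:90021,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960010"

# Include order that makes this work (the exclusions first):
# Include /etc/httpd/modsecurity.d/path-exclusions.conf
# Include /etc/httpd/modsecurity.d/activated_rules/*.conf
```

Two notes. Fernando's audit log carries `Engine-Mode: "DETECTION_ONLY"`, so what it records are logged matches, not blocked requests; the rule above silences them, but the less drastic fix is to collect the rule ids from those entries and use `ctl:ruleRemoveById=` for just those, which keeps the admin interface covered by everything else. And an engine switched off for a path is off for the response phases too, which matters when the same path serves the application's error pages.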
Morris Taylor | 13 Feb 04:04 2015

Questions about pmFromFiles and SecRemoteRules

Dear All,

According to the release notes of ModSecurity 2.9.0 rc-1 (https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1), I noticed that we can use "pmFromFile" to retrieve the files from a remote server for rule matching and request processing within ModSecurity. My question is: will the directives (e.g. pmFromFile, SecRemoteRules) be called every time a request is being processed, or will ModSecurity cache the content of the rule files in memory to speed up request processing? If the answer is yes, that the rule files from the remote server will be cached, how long will they be in the cache and how does ModSecurity expire the caches? Thanks!

-- 
BR, Morris


Felipe Costa | 12 Feb 23:48 2015

ModSecurity version 2.9.0 announcement


Hi,

I am proud to announce our release for the version 2.9.0.
This version 2.9.0 contains fixes.

Complete list of changes from 2.8.0 to 2.9.0 is available here:
https://github.com/SpiderLabs/ModSecurity/releases

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0

SHA256(modsecurity-2.9.0.tar.gz)= e2bbf789966c1f80094d88d9085a81bde082b2054f8e38e0db571ca49208f434
SHA256(ModSecurityIIS_2.9.0-32b.msi)= 3e7fc5e48c43738352935a2cc58dcd9272ed9e6d8ef4f6d57609183bcc443a57
SHA256(ModSecurityIIS_2.9.0-64b.msi)= cda1abf2c2e6f58b4dd33f4a16ab84c8b861663957dbdc2cf8ad7a4df1ad6645

We would like to thank you all that helped to test the release candidate
one and two, a really great job. Thanks!

The most important change from v2.9.0-RC2 to v2.9.0:

* Fix apr_crypto.h include, now checking if apr_crypto.h is available by
  checking the definition WITH_APU_CRYPTO.
  [martinjina and ModSecurity team]

Br,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

Kianoosh Kashefi | 8 Feb 13:37 2015

Integrating Apache customlog with mod_security errorlog

I've set up Apache 2.2 and mod_security 2 on a CentOS 6 machine. As
you know, mod_security produces its own kind of error log file, whose
output is something like:

[Sun Feb 08 13:53:25 2015] [error] [client 192.168.22.90] ModSecurity:
 [file "/etc/httpd/conf.d/mod_security2/base_rules/modsecurity_crs_30_http_policy.conf"]
[line "31"] [id "960032"] [rev "2"] [msg "Method is not allowed by
policy"] [data "GET"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"]
[maturity "9"] [accuracy "9"] [tag
"OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag
"OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] Access
denied with code 403 (phase 1). Match of "within
%{tx.allowed_methods}" against "REQUEST_METHOD" required. [hostname
"192.168.110.13"] [uri "/favicon.ico"] [unique_id
"VNc5HcCoFt0AACRCAkcAAAAD"]

I need this log plus several further parameters which are : Client
port and ip, server port and ip and user-agent info which can be
easily set to be written in another log file like this:

LogFormat "[Remote_Address \"%{REMOTE_ADDR}M\"] [Remote_Port \"%{REMOTE_PORT}M\"] [Server_Address \"%{SERVER_ADDR}M\"] [Server_Port \"%{SERVER_PORT}M\"] [User_Agent \"%{User-agent}i\"]\n" custom-format-1

CustomLog logs/error-v.log custom-format-1

which returns :

[Remote_Address "192.168.22.90"] [Remote_Port "55025"] [Server_Address "192.168.110.13"] [Server_Port "8888"] [User_Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"]

but the problem is that I want both these logs in the same file and I
have tried to write both logs into the same file in apache httpd.conf
but they are written into two separate lines (like a "\n" is used in
the end of mod_security error log) which for my particular use is
unacceptable.

What should I do to get both logs in the same file and in a single line of text.

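An added example, not code from the original post, of getting the ModSecurity verdict and the client/server fields onto one log line. The ModSecurity error-log entry is written by the module itself and cannot be appended to a CustomLog line, but the information can be carried the other way: the matched rule's message and the anomaly score are exported into Apache environment variables at the end of the transaction and picked up by the same LogFormat that already prints the address and port fields. Assumed: mod_unique_id is loaded (it is what produces the `[unique_id "..."]` field in the error-log line above); the OWASP CRS 2.2.9 rules set `tx.msg` and `tx.anomaly_score` when they match, as the 2.2.x ruleset does; rule id 90040 and the format name are arbitrary. The example also relies on ModSecurity's logging phase running before mod_log_config's, which the Apache module requests; if the two new fields come out empty on a given build, that ordering is the first thing to check.

```apache
# Added example; not code from the original post. Assumes mod_unique_id is
# loaded, that CRS 2.2.9 sets tx.msg / tx.anomaly_score on a match, and that
# ModSecurity's phase 5 runs before mod_log_config (the module asks Apache for
# that order). Rule id 90040 and the format name are arbitrary.

LoadModule unique_id_module modules/mod_unique_id.so

# 1. Export the verdict into the Apache environment at the very end of the
#    transaction. Phase 5 always runs, including for requests denied in
#    phase 1 such as the 960032 hit in the post, so blocked requests are
#    logged too. Empty values on clean requests print as "-".
SecAction "id:90040,phase:5,t:none,nolog,pass,\
    setenv:'msec_msg=%{tx.msg}',\
    setenv:'msec_score=%{tx.anomaly_score}'"

# 2. One line per request: the original fields, the verdict from step 1, and
#    the UNIQUE_ID that also appears in the ModSecurity error-log entry, so the
#    full entry can still be joined to this line when it is needed.
LogFormat "[unique_id \"%{UNIQUE_ID}e\"] [Remote_Address \"%{REMOTE_ADDR}M\"] [Remote_Port \"%{REMOTE_PORT}M\"] [Server_Address \"%{SERVER_ADDR}M\"] [Server_Port \"%{SERVER_PORT}M\"] [User_Agent \"%{User-agent}i\"] [msec_msg \"%{msec_msg}e\"] [msec_score \"%{msec_score}e\"]" modsec-joined
CustomLog logs/error-v.log modsec-joined
```

`tx.msg` holds the message of the last rule that matched, which for a single-rule block such as 960032 is the one wanted; when several rules fire in anomaly-scoring mode, the full list is only in the error log or the audit log, and the `unique_id` field is the key that gets you from this line to it.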

rewt rewt | 6 Feb 16:46 2015

SecRuleInheritance Off not working

Dear all,
I am not sure I understand whether I am correctly using SecRuleInheritance or not.

I would like to have separated configurations depending on Vhost.
For example, I'd like:

www.site1.com use core rules with anomaly scoring config
www.site2.com without core rules and just Trustwave commercial Joomla rules for example.

The problem is that if i configure :

<VirtualHost www.site2.com:80>
SecRuleInheritance Off
Include custom-msec-generic-config.conf
Include trustwave-joomla.conf
xxxx
xxxx
</VirtualHost>

Now, if I check the log and try a simple SQL injection, I still have the OWASP CRS blocking me with the anomaly score...

Where am i wrong ?

Kind regards,


Modsecurity and error 500 with IIS 8

Hi members

Has someone dealt with the 500 error problem with ModSecurity and IIS? In the ModSecurity logs I see a lot of 500 errors: internal server error. The problem is the SecRequestBodyAccess On rule. If I turn it off, everything works fine without errors.

Thanks
Gabriel

